People operate a variety of software-based technologies when performing business and/or personal tasks. It has become increasingly important for software program developers (e.g., hardware, software application and/or operating system component developers) to ensure security and integrity for computing tasks involving critical or sensitive data, particularly in the face of sophisticated threats (e.g., malicious software code). Software vulnerabilities, whether benign software code defects (e.g., bugs) or exploitable software code (e.g., buffer overflows, format string vulnerabilities and/or the like), may be exploited by such threats, causing a number of problems for valued customers.
Software programs (or simply programs) often execute code and access resources via an operating system running on a computing device, such as a mobile phone, a desktop/laptop computer, a tablet device, a smartphone and/or the like. Conventional operating systems implement at least some isolation policy for securing data, such as a per-user isolation policy, where users are isolated from one another but each user's software programs run in the same isolation container, or an application isolation policy, where different software programs are isolated from one another. These isolation policies and other known isolation policies, however, are insufficient for protecting computing devices from modern security challenges. Mutually distrusting pieces of content may interfere with one another, especially when processed by a single software program. To illustrate one example, attacker-crafted image data can compromise a photo editor program and misappropriate all images processed by that editor program. Furthermore, such isolation policies rely upon the user to make important security decisions, which places an unnecessary burden on the user and often results in failure when the user makes an incorrect decision. The isolation policy is a critical operating system security feature and, notwithstanding perfect isolation mechanisms/containers, an ill-designed isolation policy renders the computing device insecure.